1*647a425cSAndrew Rist /************************************************************** 2cdf0e10cSrcweir * 3*647a425cSAndrew Rist * Licensed to the Apache Software Foundation (ASF) under one 4*647a425cSAndrew Rist * or more contributor license agreements. See the NOTICE file 5*647a425cSAndrew Rist * distributed with this work for additional information 6*647a425cSAndrew Rist * regarding copyright ownership. The ASF licenses this file 7*647a425cSAndrew Rist * to you under the Apache License, Version 2.0 (the 8*647a425cSAndrew Rist * "License"); you may not use this file except in compliance 9*647a425cSAndrew Rist * with the License. You may obtain a copy of the License at 10cdf0e10cSrcweir * 11*647a425cSAndrew Rist * http://www.apache.org/licenses/LICENSE-2.0 12cdf0e10cSrcweir * 13*647a425cSAndrew Rist * Unless required by applicable law or agreed to in writing, 14*647a425cSAndrew Rist * software distributed under the License is distributed on an 15*647a425cSAndrew Rist * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 16*647a425cSAndrew Rist * KIND, either express or implied. See the License for the 17*647a425cSAndrew Rist * specific language governing permissions and limitations 18*647a425cSAndrew Rist * under the License. 19cdf0e10cSrcweir * 20*647a425cSAndrew Rist *************************************************************/ 21*647a425cSAndrew Rist 22*647a425cSAndrew Rist 23cdf0e10cSrcweir 24cdf0e10cSrcweir // MARKER(update_precomp.py): autogen include statement, do not remove 25cdf0e10cSrcweir #include "precompiled_stoc.hxx" 26cdf0e10cSrcweir 27cdf0e10cSrcweir #include <stdio.h> 28cdf0e10cSrcweir 29cdf0e10cSrcweir #include <sal/main.h> 30cdf0e10cSrcweir #include <osl/diagnose.h> 31cdf0e10cSrcweir #include <osl/socket.hxx> 32cdf0e10cSrcweir #include <rtl/string.hxx> 33cdf0e10cSrcweir #include <rtl/ustrbuf.hxx> 34cdf0e10cSrcweir #include <uno/current_context.hxx> 35cdf0e10cSrcweir 36cdf0e10cSrcweir #include <cppuhelper/implbase1.hxx> 37cdf0e10cSrcweir #include <cppuhelper/bootstrap.hxx> 38cdf0e10cSrcweir #include <cppuhelper/access_control.hxx> 39cdf0e10cSrcweir 40cdf0e10cSrcweir #include <com/sun/star/lang/XComponent.hpp> 41cdf0e10cSrcweir #include <com/sun/star/uno/XCurrentContext.hpp> 42cdf0e10cSrcweir 43cdf0e10cSrcweir #include <com/sun/star/io/FilePermission.hpp> 44cdf0e10cSrcweir 45cdf0e10cSrcweir #define USER_CREDS "access-control.user-credentials" 46cdf0e10cSrcweir #define OUSTR(x) ::rtl::OUString( RTL_CONSTASCII_USTRINGPARAM(x) ) 47cdf0e10cSrcweir 48cdf0e10cSrcweir 49cdf0e10cSrcweir using namespace ::osl; 50cdf0e10cSrcweir using namespace ::rtl; 51cdf0e10cSrcweir using namespace ::cppu; 52cdf0e10cSrcweir using namespace ::com::sun::star; 53cdf0e10cSrcweir using namespace ::com::sun::star::uno; 54cdf0e10cSrcweir 55cdf0e10cSrcweir //-------------------------------------------------------------------------------------------------- 56cdf0e10cSrcweir static OUString localhost( OUString const & addition ) SAL_THROW( () ) 57cdf0e10cSrcweir { 58cdf0e10cSrcweir static OUString ip; 59cdf0e10cSrcweir if (! ip.getLength()) 60cdf0e10cSrcweir { 61cdf0e10cSrcweir // dns lookup 62cdf0e10cSrcweir SocketAddr addr; 63cdf0e10cSrcweir SocketAddr::resolveHostname( OUSTR("localhost"), addr ); 64cdf0e10cSrcweir ::oslSocketResult rc = ::osl_getDottedInetAddrOfSocketAddr( addr.getHandle(), &ip.pData ); 65cdf0e10cSrcweir if (::osl_Socket_Ok != rc) 66cdf0e10cSrcweir fprintf(stdout, "### cannot resolve localhost!" ); 67cdf0e10cSrcweir } 68cdf0e10cSrcweir OUStringBuffer buf( 48 ); 69cdf0e10cSrcweir buf.append( ip ); 70cdf0e10cSrcweir buf.append( addition ); 71cdf0e10cSrcweir return buf.makeStringAndClear(); 72cdf0e10cSrcweir } 73cdf0e10cSrcweir 74cdf0e10cSrcweir //-------------------------------------------------------------------------------------------------- 75cdf0e10cSrcweir static inline void dispose( Reference< XInterface > const & x ) 76cdf0e10cSrcweir SAL_THROW( (RuntimeException) ) 77cdf0e10cSrcweir { 78cdf0e10cSrcweir Reference< lang::XComponent > xComp( x, UNO_QUERY ); 79cdf0e10cSrcweir if (xComp.is()) 80cdf0e10cSrcweir { 81cdf0e10cSrcweir xComp->dispose(); 82cdf0e10cSrcweir } 83cdf0e10cSrcweir } 84cdf0e10cSrcweir //================================================================================================== 85cdf0e10cSrcweir class user_CurrentContext 86cdf0e10cSrcweir : public ImplHelper1< XCurrentContext > 87cdf0e10cSrcweir { 88cdf0e10cSrcweir oslInterlockedCount m_refcount; 89cdf0e10cSrcweir 90cdf0e10cSrcweir Reference< XCurrentContext > m_xDelegate; 91cdf0e10cSrcweir Any m_userId; 92cdf0e10cSrcweir 93cdf0e10cSrcweir public: 94cdf0e10cSrcweir inline user_CurrentContext( 95cdf0e10cSrcweir Reference< XCurrentContext > const & xDelegate, 96cdf0e10cSrcweir OUString const & userId ) 97cdf0e10cSrcweir SAL_THROW( () ) 98cdf0e10cSrcweir : m_refcount( 0 ) 99cdf0e10cSrcweir , m_xDelegate( xDelegate ) 100cdf0e10cSrcweir , m_userId( makeAny( userId ) ) 101cdf0e10cSrcweir {} 102cdf0e10cSrcweir 103cdf0e10cSrcweir // XInterface impl 104cdf0e10cSrcweir virtual void SAL_CALL acquire() 105cdf0e10cSrcweir throw (); 106cdf0e10cSrcweir virtual void SAL_CALL release() 107cdf0e10cSrcweir throw (); 108cdf0e10cSrcweir 109cdf0e10cSrcweir // XCurrentContext impl 110cdf0e10cSrcweir virtual Any SAL_CALL getValueByName( OUString const & name ) 111cdf0e10cSrcweir throw (RuntimeException); 112cdf0e10cSrcweir }; 113cdf0e10cSrcweir //__________________________________________________________________________________________________ 114cdf0e10cSrcweir void user_CurrentContext::acquire() 115cdf0e10cSrcweir throw () 116cdf0e10cSrcweir { 117cdf0e10cSrcweir ::osl_incrementInterlockedCount( &m_refcount ); 118cdf0e10cSrcweir } 119cdf0e10cSrcweir //__________________________________________________________________________________________________ 120cdf0e10cSrcweir void user_CurrentContext::release() 121cdf0e10cSrcweir throw () 122cdf0e10cSrcweir { 123cdf0e10cSrcweir if (! ::osl_decrementInterlockedCount( &m_refcount )) 124cdf0e10cSrcweir { 125cdf0e10cSrcweir delete this; 126cdf0e10cSrcweir } 127cdf0e10cSrcweir } 128cdf0e10cSrcweir //__________________________________________________________________________________________________ 129cdf0e10cSrcweir Any user_CurrentContext::getValueByName( OUString const & name ) 130cdf0e10cSrcweir throw (RuntimeException) 131cdf0e10cSrcweir { 132cdf0e10cSrcweir if (name.equalsAsciiL( RTL_CONSTASCII_STRINGPARAM(USER_CREDS ".id") )) 133cdf0e10cSrcweir { 134cdf0e10cSrcweir return m_userId; 135cdf0e10cSrcweir } 136cdf0e10cSrcweir else if (m_xDelegate.is()) 137cdf0e10cSrcweir { 138cdf0e10cSrcweir return m_xDelegate->getValueByName( name ); 139cdf0e10cSrcweir } 140cdf0e10cSrcweir else 141cdf0e10cSrcweir { 142cdf0e10cSrcweir return Any(); 143cdf0e10cSrcweir } 144cdf0e10cSrcweir } 145cdf0e10cSrcweir 146cdf0e10cSrcweir // prepends line number 147cdf0e10cSrcweir #define CHECK( check, negative_test ) \ 148cdf0e10cSrcweir { \ 149cdf0e10cSrcweir try \ 150cdf0e10cSrcweir { \ 151cdf0e10cSrcweir if (negative_test) \ 152cdf0e10cSrcweir { \ 153cdf0e10cSrcweir bool thrown = true; \ 154cdf0e10cSrcweir try \ 155cdf0e10cSrcweir { \ 156cdf0e10cSrcweir check; \ 157cdf0e10cSrcweir thrown = false; \ 158cdf0e10cSrcweir } \ 159cdf0e10cSrcweir catch (RuntimeException &) \ 160cdf0e10cSrcweir { \ 161cdf0e10cSrcweir } \ 162cdf0e10cSrcweir if (! thrown) \ 163cdf0e10cSrcweir { \ 164cdf0e10cSrcweir throw RuntimeException( \ 165cdf0e10cSrcweir OUSTR("expected RuntimeException upon check!"), Reference< XInterface >() ); \ 166cdf0e10cSrcweir } \ 167cdf0e10cSrcweir } \ 168cdf0e10cSrcweir else \ 169cdf0e10cSrcweir { \ 170cdf0e10cSrcweir check; \ 171cdf0e10cSrcweir } \ 172cdf0e10cSrcweir } \ 173cdf0e10cSrcweir catch (RuntimeException & exc) \ 174cdf0e10cSrcweir { \ 175cdf0e10cSrcweir OUStringBuffer buf( 64 ); \ 176cdf0e10cSrcweir buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("[line ") ); \ 177cdf0e10cSrcweir buf.append( (sal_Int32)__LINE__ ); \ 178cdf0e10cSrcweir buf.appendAscii( RTL_CONSTASCII_STRINGPARAM("] ") ); \ 179cdf0e10cSrcweir buf.append( exc.Message ); \ 180cdf0e10cSrcweir throw RuntimeException( buf.makeStringAndClear(), Reference< XInterface >() ); \ 181cdf0e10cSrcweir } \ 182cdf0e10cSrcweir } 183cdf0e10cSrcweir 184cdf0e10cSrcweir /* 185cdf0e10cSrcweir grant 186cdf0e10cSrcweir { 187cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///usr/bin/ *", "read"; 188cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///tmp/-", "read,write"; 189cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///etc/profile", "read"; 190cdf0e10cSrcweir 191cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "DEF"; 192cdf0e10cSrcweir 193cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "127.0.0.1:-1023", "resolve, connect, listen"; 194cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "localhost:1024-", "accept, connect, listen, resolve,"; 195cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "*.sun.com:1024-", "resolve"; 196cdf0e10cSrcweir }; 197cdf0e10cSrcweir */ 198cdf0e10cSrcweir static void check_defaults_pos( AccessControl & ac, bool invert = false ) 199cdf0e10cSrcweir { 200cdf0e10cSrcweir // positive tests 201cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("read") ), invert ); 202cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/bla"), OUSTR("read,write") ), invert ); 203cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/path/path/bla"), OUSTR("write") ), invert ); 204cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("read") ), invert ); 205cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DEF") ), invert ); 206cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:1024"), OUSTR("connect") ), invert ); 207cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:65535"), OUSTR("resolve") ), invert ); 208cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":2048")), OUSTR("accept,listen") ), invert ); 209cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":1024-")), OUSTR("accept,connect,listen,resolve") ), invert ); 210cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("resolve,listen,connect") ), invert ); 211cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jl-1036.germany.sun.com:1024-"), OUSTR("resolve") ), invert ); 212cdf0e10cSrcweir } 213cdf0e10cSrcweir static void check_defaults_neg( AccessControl & ac, bool invert = false ) 214cdf0e10cSrcweir { 215cdf0e10cSrcweir // negative tests 216cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/tmp"), OUSTR("read") ), !invert ); 217cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///"), OUSTR("read") ), !invert ); 218cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin"), OUSTR("read") ), !invert ); 219cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("write") ), !invert ); 220cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/bla"), OUSTR("execute") ), !invert ); 221cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/bin/path/bla"), OUSTR("read") ), !invert ); 222cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp"), OUSTR("read") ), !invert ); 223cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tmp/"), OUSTR("read") ), !invert ); 224cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///tm"), OUSTR("read") ), !invert ); 225cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile"), OUSTR("write") ), !invert ); 226cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/profile/bla"), OUSTR("read") ), !invert ); 227cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), !invert ); 228cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), !invert ); 229cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), !invert ); 230cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("delete") ), !invert ); 231cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUString() ), !invert ); 232cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), !invert ); 233cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:1023"), OUSTR("accept") ), !invert ); 234cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:123-"), OUSTR("accept") ), !invert ); 235cdf0e10cSrcweir CHECK( ac.checkSocketPermission( localhost(OUSTR(":-1023")), OUSTR("accept") ), !invert ); 236cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("localhost:-1023"), OUSTR("accept,resolve") ), !invert ); 237cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("sun.com:1024-"), OUSTR("resolve") ), !invert ); 238cdf0e10cSrcweir } 239cdf0e10cSrcweir 240cdf0e10cSrcweir /* 241cdf0e10cSrcweir grant user "dbo" 242cdf0e10cSrcweir { 243cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///home/dbo/-", "read,write"; 244cdf0e10cSrcweir permission com.sun.star.io.FilePermission "-", "read,write"; 245cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///usr/local/dbo/ *", "read"; 246cdf0e10cSrcweir 247cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "DBO"; 248cdf0e10cSrcweir 249cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-1:1024-", "listen"; 250cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:-1023", "resolve"; 251cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:18", "listen"; 252cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081:20-24", "listen"; 253cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "dbo-11081", "connect"; 254cdf0e10cSrcweir }; 255cdf0e10cSrcweir */ 256cdf0e10cSrcweir static void check_dbo_pos( AccessControl & ac, bool invert = false ) 257cdf0e10cSrcweir { 258cdf0e10cSrcweir check_defaults_pos( ac, invert ); 259cdf0e10cSrcweir // positive tests 260cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), invert ); 261cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), invert ); 262cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), invert ); 263cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read,write") ), invert ); 264cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,write") ), invert ); 265cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/*"), OUSTR("read") ), invert ); 266cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), invert ); 267cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), invert ); 268cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:1024-"), OUSTR("listen") ), invert ); 269cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-3122"), OUSTR("listen") ), invert ); 270cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-1:2048-"), OUSTR("listen") ), invert ); 271cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:-1023"), OUSTR("resolve") ), invert ); 272cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-1023"), OUSTR("resolve") ), invert ); 273cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:18"), OUSTR("listen") ), invert ); 274cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:20-24"), OUSTR("listen") ), invert ); 275cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("listen") ), invert ); 276cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), invert ); 277cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("connect") ), invert ); 278cdf0e10cSrcweir } 279cdf0e10cSrcweir static void check_dbo_neg( AccessControl & ac, bool invert = false ) 280cdf0e10cSrcweir { 281cdf0e10cSrcweir check_defaults_neg( ac, invert ); 282cdf0e10cSrcweir // negative tests 283cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert ); 284cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), !invert ); 285cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), !invert ); 286cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), !invert ); 287cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read") ), !invert ); 288cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read,execute") ), !invert ); 289cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert ); 290cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/bla"), OUSTR("read") ), !invert ); 291cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert ); 292cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), !invert ); 293cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("listen") ), !invert ); 294cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081:22"), OUSTR("accept") ), !invert ); 295cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:22"), OUSTR("resolve") ), !invert ); 296cdf0e10cSrcweir } 297cdf0e10cSrcweir 298cdf0e10cSrcweir /* 299cdf0e10cSrcweir grant user "jbu" 300cdf0e10cSrcweir { 301cdf0e10cSrcweir permission com.sun.star.io.FilePermission "file:///home/jbu/-", "read,write"; 302cdf0e10cSrcweir permission com.sun.star.io.FilePermission "*", "read,write"; 303cdf0e10cSrcweir 304cdf0e10cSrcweir permission com.sun.star.security.RuntimePermission "JBU"; 305cdf0e10cSrcweir 306cdf0e10cSrcweir permission com.sun.star.connection.SocketPermission "jbu-11096","resolve"; 307cdf0e10cSrcweir }; 308cdf0e10cSrcweir */ 309cdf0e10cSrcweir static void check_jbu_pos( AccessControl & ac, bool invert = false ) 310cdf0e10cSrcweir { 311cdf0e10cSrcweir check_defaults_pos( ac, invert ); 312cdf0e10cSrcweir // positive tests 313cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read") ), invert ); 314cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("write") ), invert ); 315cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/bla"), OUSTR("read,write") ), invert ); 316cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/bla"), OUSTR("read,write") ), invert ); 317cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/jbu/path/path/bla"), OUSTR("read,write") ), invert ); 318cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("JBU") ), invert ); 319cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096"), OUSTR("resolve") ), invert ); 320cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("resolve") ), invert ); 321cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com:2048"), OUSTR("resolve") ), invert ); 322cdf0e10cSrcweir } 323cdf0e10cSrcweir static void check_jbu_neg( AccessControl & ac, bool invert = false ) 324cdf0e10cSrcweir { 325cdf0e10cSrcweir check_defaults_neg( ac, invert ); 326cdf0e10cSrcweir // negative tests 327cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/-"), OUSTR("read") ), !invert ); 328cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/bla"), OUSTR("read") ), !invert ); 329cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/path/path/bla"), OUSTR("read") ), !invert ); 330cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read") ), !invert ); 331cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("write") ), !invert ); 332cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), !invert ); 333cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/-"), OUSTR("read") ), !invert ); 334cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/bla"), OUSTR("read") ), !invert ); 335cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///usr/local/dbo/path/path/bla"), OUSTR("read") ), !invert ); 336cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("DBO") ), !invert ); 337cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("jbu-11096:20-24"), OUSTR("accept") ), !invert ); 338cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081"), OUSTR("connect") ), !invert ); 339cdf0e10cSrcweir CHECK( ac.checkSocketPermission( OUSTR("dbo-11081.germany.sun.com"), OUSTR("connect") ), !invert ); 340cdf0e10cSrcweir } 341cdf0e10cSrcweir 342cdf0e10cSrcweir /* 343cdf0e10cSrcweir grant principal "root" 344cdf0e10cSrcweir { 345cdf0e10cSrcweir permission com.sun.star.security.AllPermission; 346cdf0e10cSrcweir }; 347cdf0e10cSrcweir */ 348cdf0e10cSrcweir //================================================================================================== 349cdf0e10cSrcweir static void check_root_pos( AccessControl & ac, bool invert = false ) 350cdf0e10cSrcweir { 351cdf0e10cSrcweir check_defaults_pos( ac, invert ); 352cdf0e10cSrcweir check_defaults_neg( ac, !invert ); 353cdf0e10cSrcweir check_dbo_pos( ac, invert ); 354cdf0e10cSrcweir check_dbo_neg( ac, !invert ); 355cdf0e10cSrcweir check_jbu_pos( ac, invert ); 356cdf0e10cSrcweir check_jbu_neg( ac, !invert ); 357cdf0e10cSrcweir // some more root positive 358cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///etc/blabla"), OUSTR("read,write,execute") ), invert ); 359cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///home/root"), OUSTR("read,write,execute") ), invert ); 360cdf0e10cSrcweir CHECK( ac.checkFilePermission( OUSTR("file:///root"), OUSTR("read,write,execute") ), invert ); 361cdf0e10cSrcweir CHECK( ac.checkRuntimePermission( OUSTR("ROOT") ), invert ); 362cdf0e10cSrcweir } 363cdf0e10cSrcweir 364cdf0e10cSrcweir //================================================================================================== 365cdf0e10cSrcweir class acc_Restr 366cdf0e10cSrcweir : public WeakImplHelper1< security::XAccessControlContext > 367cdf0e10cSrcweir { 368cdf0e10cSrcweir Any m_perm; 369cdf0e10cSrcweir 370cdf0e10cSrcweir public: 371cdf0e10cSrcweir inline acc_Restr( Any const & perm = Any() ) SAL_THROW( () ) 372cdf0e10cSrcweir : m_perm( perm ) 373cdf0e10cSrcweir {} 374cdf0e10cSrcweir 375cdf0e10cSrcweir // XAccessControlContext impl 376cdf0e10cSrcweir virtual void SAL_CALL checkPermission( Any const & perm ) 377cdf0e10cSrcweir throw (RuntimeException); 378cdf0e10cSrcweir }; 379cdf0e10cSrcweir //__________________________________________________________________________________________________ 380cdf0e10cSrcweir void acc_Restr::checkPermission( Any const & perm ) 381cdf0e10cSrcweir throw (RuntimeException) 382cdf0e10cSrcweir { 383cdf0e10cSrcweir if (perm != m_perm) 384cdf0e10cSrcweir { 385cdf0e10cSrcweir throw security::AccessControlException( 386cdf0e10cSrcweir OUSTR("dyn violation!"), Reference< XInterface >(), perm ); 387cdf0e10cSrcweir } 388cdf0e10cSrcweir } 389cdf0e10cSrcweir 390cdf0e10cSrcweir typedef void (* t_action)( AccessControl &, Any const & arg ); 391cdf0e10cSrcweir 392cdf0e10cSrcweir //================================================================================================== 393cdf0e10cSrcweir class Action 394cdf0e10cSrcweir : public WeakImplHelper1< security::XAction > 395cdf0e10cSrcweir { 396cdf0e10cSrcweir t_action m_action; 397cdf0e10cSrcweir AccessControl & m_ac; 398cdf0e10cSrcweir Any m_arg; 399cdf0e10cSrcweir 400cdf0e10cSrcweir public: 401cdf0e10cSrcweir inline Action( t_action action, AccessControl & ac, Any const & arg = Any() ) SAL_THROW( () ) 402cdf0e10cSrcweir : m_action( action ) 403cdf0e10cSrcweir , m_ac( ac ) 404cdf0e10cSrcweir , m_arg( arg ) 405cdf0e10cSrcweir {} 406cdf0e10cSrcweir 407cdf0e10cSrcweir // XAction impl 408cdf0e10cSrcweir virtual Any SAL_CALL run() 409cdf0e10cSrcweir throw (Exception); 410cdf0e10cSrcweir }; 411cdf0e10cSrcweir //__________________________________________________________________________________________________ 412cdf0e10cSrcweir Any Action::run() 413cdf0e10cSrcweir throw (Exception) 414cdf0e10cSrcweir { 415cdf0e10cSrcweir (*m_action)( m_ac, m_arg ); 416cdf0e10cSrcweir return Any(); 417cdf0e10cSrcweir } 418cdf0e10cSrcweir 419cdf0e10cSrcweir //================================================================================================== 420cdf0e10cSrcweir // static void restr_file_permissions( AccessControl & ac ) 421cdf0e10cSrcweir // { 422cdf0e10cSrcweir // // running in dbo's domain 423cdf0e10cSrcweir // /* permission com.sun.star.io.FilePermission "file:///home/dbo/-", ",,read , write "; */ 424cdf0e10cSrcweir // CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write,execute") ), true ); 425cdf0e10cSrcweir // CHECK( ac.checkFilePermission( OUSTR("file:///home/dbo/bla"), OUSTR("read,write") ), false ); 426cdf0e10cSrcweir // } 427cdf0e10cSrcweir //================================================================================================== 428cdf0e10cSrcweir static void all_dbo_permissions( AccessControl & ac, Any const & ) 429cdf0e10cSrcweir { 430cdf0e10cSrcweir check_dbo_pos( ac ); 431cdf0e10cSrcweir check_dbo_neg( ac ); 432cdf0e10cSrcweir } 433cdf0e10cSrcweir //================================================================================================== 434cdf0e10cSrcweir static void no_permissions( AccessControl & ac, Any const & arg ) 435cdf0e10cSrcweir { 436cdf0e10cSrcweir check_dbo_pos( ac, true ); 437cdf0e10cSrcweir check_dbo_neg( ac ); 438cdf0e10cSrcweir // set privs to old dbo restr 439cdf0e10cSrcweir Reference< security::XAccessControlContext > xContext; 440cdf0e10cSrcweir OSL_VERIFY( arg >>= xContext ); 441cdf0e10cSrcweir ac->doPrivileged( 442cdf0e10cSrcweir new Action( all_dbo_permissions, ac ), 443cdf0e10cSrcweir xContext ); 444cdf0e10cSrcweir } 445cdf0e10cSrcweir //================================================================================================== 446cdf0e10cSrcweir static void check_dbo_dynamic( AccessControl & ac ) 447cdf0e10cSrcweir { 448cdf0e10cSrcweir Any arg( makeAny( ac->getContext() ) ); 449cdf0e10cSrcweir ac->doRestricted( 450cdf0e10cSrcweir new Action( no_permissions, ac, arg ), 451cdf0e10cSrcweir new acc_Restr() ); 452cdf0e10cSrcweir } 453cdf0e10cSrcweir 454cdf0e10cSrcweir SAL_IMPLEMENT_MAIN() 455cdf0e10cSrcweir { 456cdf0e10cSrcweir try 457cdf0e10cSrcweir { 458cdf0e10cSrcweir // single-user test 459cdf0e10cSrcweir Reference< XComponentContext > xContext( defaultBootstrap_InitialComponentContext( 460cdf0e10cSrcweir OUSTR("../../test/security/test_security_singleuser.ini") ) ); 461cdf0e10cSrcweir { 462cdf0e10cSrcweir ::fprintf( stderr, "[security test] single-user checking dbo..." ); 463cdf0e10cSrcweir AccessControl ac( xContext ); 464cdf0e10cSrcweir check_dbo_pos( ac ); 465cdf0e10cSrcweir check_dbo_neg( ac ); 466cdf0e10cSrcweir check_dbo_dynamic( ac ); 467cdf0e10cSrcweir ::fprintf( stderr, "dbo checked.\n" ); 468cdf0e10cSrcweir } 469cdf0e10cSrcweir 470cdf0e10cSrcweir // multi-user test 471cdf0e10cSrcweir dispose( xContext ); 472cdf0e10cSrcweir xContext = defaultBootstrap_InitialComponentContext( 473cdf0e10cSrcweir OUSTR("../../test/security/test_security.ini") ); // UNO_AC=on 474cdf0e10cSrcweir AccessControl ac( xContext ); 475cdf0e10cSrcweir 476cdf0e10cSrcweir { 477cdf0e10cSrcweir // set up dbo current context 478cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("dbo") ) ); 479cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking dbo..." ); 480cdf0e10cSrcweir check_dbo_pos( ac ); 481cdf0e10cSrcweir check_dbo_neg( ac ); 482cdf0e10cSrcweir check_dbo_dynamic( ac ); 483cdf0e10cSrcweir ::fprintf( stderr, "dbo checked.\n" ); 484cdf0e10cSrcweir } 485cdf0e10cSrcweir { 486cdf0e10cSrcweir // set up jbu current context 487cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("jbu") ) ); 488cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking jbu..." ); 489cdf0e10cSrcweir check_jbu_pos( ac ); 490cdf0e10cSrcweir check_jbu_neg( ac ); 491cdf0e10cSrcweir ::fprintf( stderr, "jbu checked.\n" ); 492cdf0e10cSrcweir } 493cdf0e10cSrcweir { 494cdf0e10cSrcweir // set up root current context 495cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("root") ) ); 496cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking root..." ); 497cdf0e10cSrcweir check_root_pos( ac ); 498cdf0e10cSrcweir ::fprintf( stderr, "root checked.\n" ); 499cdf0e10cSrcweir } 500cdf0e10cSrcweir { 501cdf0e10cSrcweir // set up unknown guest user current context => default permissions 502cdf0e10cSrcweir ContextLayer layer( new user_CurrentContext( getCurrentContext(), OUSTR("guest") ) ); 503cdf0e10cSrcweir ::fprintf( stderr, "[security test] multi-user checking guest..." ); 504cdf0e10cSrcweir check_defaults_pos( ac ); 505cdf0e10cSrcweir check_defaults_neg( ac ); 506cdf0e10cSrcweir ::fprintf( stderr, "guest checked.\n" ); 507cdf0e10cSrcweir } 508cdf0e10cSrcweir 509cdf0e10cSrcweir dispose( xContext ); 510cdf0e10cSrcweir ::fprintf( stderr, "security test succeeded.\n" ); 511cdf0e10cSrcweir return 0; 512cdf0e10cSrcweir } 513cdf0e10cSrcweir catch (Exception & exc) 514cdf0e10cSrcweir { 515cdf0e10cSrcweir OString str( OUStringToOString( exc.Message, RTL_TEXTENCODING_ASCII_US ) ); 516cdf0e10cSrcweir ::fprintf( stderr, "[security test] error: %s!\n", str.getStr() ); 517cdf0e10cSrcweir return 1; 518cdf0e10cSrcweir } 519cdf0e10cSrcweir } 520